Thursday, 11 December 2014

Bringing Data Protection Home? The CJEU rules on data protection law and home CCTV

Lorna
Woods, Professor of Law, University of Essex

Does EU data protection law apply to home
CCTV cameras? The CJEU addressed that issue yesterday in the judgment in Case
C-212/13 Ryneš v. Úřad pro ochranuosobníchúdajů. In its judgment, the
Fourth Chamber of the Court agrees with the Advocate-General's opinion (discussed here), although it avoids some of the
difficult questions hinted at in that opinion.

This judgment is significant in two ways.
First, it has potentially broader application than just to fixed surveillance
devices and could indicate the way data recording devices are used in public
spaces even by private individuals.Second, it forms part of a train of judgments highlighting the
significance of data protection for individuals. This significance is perhaps
reflected in the fact that eight member States made submissions before the
court.

Facts

Mr Ryneš
and his family had for several years been subjected to attacks by persons whom
it had not been possible to identify and the windows of the family home had
been broken on several occasions.As a
result, he installed CCTV cameras under the eaves of his house.The camera was installed in a fixed position
and could not turn; it recorded the entrance to his home, the public footpath
and the entrance to the house opposite.The images were recorded to hard drive, and subsequently over-written by
new recordings.A further attack took
place but it was possible to identify the suspects because of the CCTV.The recording was handed over to the police
and relied on in the course of the subsequent criminal proceedings.One of the suspects challenged the use of CCTV
in this way: arguing that Mr Ryneš had not complied with the Czech rules
implementing the EU Data Protection Directive (DPD). Mr Ryneš essentially
argued that the matter did not come within the DPD because of the application
of the ‘household exception’ in Article 3(2) DPD. It was the scope of that
provision that was referred to the CJEU by the national court.

Judgment

The Court began by
confirming that CCTV surveillance in principle constitutes the processing of
personal data so far as it makes it possible to identify the person concerned
[paras 22-25].The Court then turned its
attention to the question of whether the situation escaped the application of
the DPD in so far as it is carried out ‘in the course of a purely personal or
household activity’ for the purposes of the second indent of Article 3(2)
DPD.

The Court
emphasised that the purpose of the DPD is to ensure a high level of protection
for personal data – seen as part of an individual’s privacy and in so doing
referred to Google Spain and Google (C‑131/12), and that, following IPI (C‑473/12,
para 39) and Digital Rights Ireland and Others(C‑293/12 and C‑594/12,
para 52) restrictions on data protection must apply on so far as strictly
necessary [para 28].Further, the DPD
must be construed in the light of the Charter. These factors meant that Article
3(2) DPD should be construed narrowly [para 29]. In the Court’s view this
approach followed also from the wording of Article 3(2) in any event: the use
of the word ‘purely’ indicates a narrow range of circumstances. Following the
reasoning of the Advocate General, the Court held that:

‘To the extent that video surveillance such as that at issue in the
main proceedings covers, even partially, a public space and is accordingly
directed outwards from the private setting of the person processing the data in
that manner, it cannot be regarded as an activity which is a purely ‘personal
or household’ activity for the purposes of the second indent of
Article 3(2) of Directive 95/46.’ [para 33]

While the DPD
applies, the Court noted the possibility of the data controller’s legitimate
interests and other possible exceptions in the Directive being taken into
account [para 34] although the Court did not elaborate further on such
balancing in this instance.

Comment

This case is not
the first case that has considered the scope of the ‘household exception’: Lindqvist(C-101/01) was the first,
which held that the ‘household exception’ did not apply to the posting of
information on a web site. According to the Court then, the exception clearly
did not apply because the making available of information to an indefinite
number of people was not an activity carried out in the course of the private
or family life of an individual.The reasoning
here is not clear, and is replete with assumptions (what is the position of an
on-line personal diary, for example?). It is perhaps because of the lack of
clarity that the Court here did not cite Lindqvist
– a rather noticeable omission otherwise.Rather it, like the Advocate-General before it, went back to first
principles about the value and status of data protection. This is the beginning
of a stream of data protection cases – arising in very different circumstances
– in which the Court has repeatedly ascribed a high value to data protection
and the protection of privacy. These cases then should be seen not as isolated,
but as part of consistent body of rulings on this point.What was clearer from the Opinion in this
case was the fact that this high value ascribed to the protection of personal
data applies as between individuals, as well as constraining the activities of
the State.

While it might
be standard practice to view exceptions as to be construed narrowly, the Court
does not give us much information as to how to define this in practice. What we
have instead is the assertion that something that impinges on a public space
cannot be ‘purely’ private. Balancing of interests takes place as a consequence
within the framework of the DPD, essentially by virtue of Article 7(f)DPD,
which allows data processing to take place in the legitimate interests of the
data controller (in this case, the homeowner interested in protecting his
security), balanced against the interests of the data subject (the criminal
suspects in this case), rather than by determining whether the DPD applies or
not.This approach probably allows for a
more subtle approach to the question of respective interests, although as
Article 29 Working Party (the advisory body made up of national data protection
supervisors) have noted there is not much consistency across the Member States
on how to interpret Article 7(f) DPD (Opinion 06/2014).There has been concern that, given the
openness of its wording, Article 7(f) could be used to undermine the
effectiveness of data protection.Here,
presumably protection of private property would weigh heavily (the Article 29
Working Party give security as an example of a ‘legitimate interest’), though
the balancing of interests might be different in the context of someone passing
in the street and someone visiting the house opposite.

This then leads
us to the question of when else the principles in Ryneš might apply.The
obvious example is devices capable of recording personal data in public spaces.
In addition to CCTV, drones and body worn video used by local authorities and
the police in the law enforcement context, we should think here about mobile
phones with cameras and devices such as Google glass, which have already been
flagged up as potentially problematic in regulatory terms. While Google may
have taken steps to improve privacy by design in this device, this does not
absolve users from responsibility under the data protection regime if it
applies to them. If we take the approach
that even partial public use of a fixed CCTV system cannot benefit from the
household exception, still less would a portable, possibly inconspicuous device
the purpose of which is uncertain.The
reasoning seems stronger still if we consider the possible onward use of such data
– via a website for example (though note the Article 29 Working Party’s view on
social networking sites in Opinion 5/2009)– taking into account the view in Lindqvist.Here it is less clear to see that the
legitimate interests of the data controller (ie the person using the device to
record and store personal data),assuming the processing were to be deemed
‘necessary’ to pursue that interest, would weigh heavily against a high level
of protection for data protection even as between individuals (see views of
Article 29 Working Party on freedom of expression arguments in this context).

How might this judgment
apply to specific cases? A parent would have a legitimate interest in
photographing or filming his or her children or friends, although there might
be constraints (taking account of the Peck v UK judgment of the European
Court of Human Rights, where Article 8 ECHR was breached after CCTV footage of
an attempted suicide was shown on national television) on how much such footage
might be shared in future. Indeed, broad sharing of those images (for example
uploading to a website without privacy protection as in Lindqvist) could constitute an act of processing outside the
household exception, which should therefore comply with DPD requirements
too.Photographs taken within the
context of private and family life but then used by journalists presumably also
fall within the scope of the Directive, although in that case the relevant
provision would be the rather general clause which provides for balancing the
right to privacy and the freedom of expression.

CCTV cameras
which fully face public streets and areas open to the public like shopping
malls are obviously covered by the Directive, so processing must comply with
the requirements of Article 6 of the Directive unless any other exceptions are
applicable. CCTV used in workplaces would obviously not
fall within the scope of the household exception, so the requirements of the
DPD regarding processing would apply. Depending on the nature of the footage
there would be further limits on sharing that footage (images of hospital
patients, for instance, would reveal sensitive data about their health). Finally,
there might be hybrid locations which are both public and private (for
instance, a care home is both a residence and a workplace). Given that the
Court has emphasised the household exception arises only when the processing
can be tied ‘purely’ to private and family life hybrid locations are unlikely
to be considered within the household exception. In the example of the care home, this is
especially likely to be true given that the data controller is likely to be the
operator of the care home using CCTV for operational reasons, rather than private
ones. Of course, it would still be possible to justify the use of CCTV in such
cases in accordance with the Directive.